Why GM invites ethical hackers to try and hack its cars

[Photo caption: If there's a security vulnerability in an internet-connected car, things can go badly wrong. Bill Pugliano/Getty Images]

GM invites hackers to try and hack its vehicles to
test their defenses.

As more and more cars become internet-connected, or
even self-driving, cybersecurity is going to be more important
than ever.

And the stakes are higher than ever before — because
unlike most traditional hacks, people's lives are at
stake.

One morning, in the not-too-distant future, you're in a rush to
go to work — but when you put the keys in the ignition, your
shiny new car doesn't start.

Instead, a message flashes on the dashboard screen: You've been
hacked. Pay the hacker $500 (£407) within 24 hours, or you're
locked out of your vehicle permanently. It's outrageous
extortion, but you can't afford to miss this morning's meeting,
so you grit your teeth and pay.

And many security experts believe that as cars come online and
autonomous vehicles hit the streets, they could become the next
frontier for cyber-extortion and other forms of hacking.

"It doesn't take a great leap of faith," Raj Samani, chief
technology officer of Intel Security EMEA, said. "You can't
afford not to be able to use your vehicle ... there's certain
things that we take as essential to our work lives, our lives as
parents, and things like that, we're going to do what it takes."

[Photo caption: Bug bounties and vulnerability disclosure platforms are a popular way to find potential security flaws. China Photos/Getty Images]

The automotive industry isn't asleep to the threat posed by car
hacking. Over the last year or so, security researchers have made
frequent headlines by targeting internet-connected vehicles,
probing them for vulnerabilities and seeing what they can pull
off.

So when researchers successfully target a vehicle or automotive
company, it can make for some alarming headlines. But the
companies generally don't get angry. In fact, they welcome it.

Third-party researchers "provide us a unique perspective," Jeff
Massimilla, chief product cybersecurity officer for auto company
GM, told Business Insider at the Mobile World Congress tech
conference in Barcelona in February.

Contracted security firms — as well as GM's internal team — are
usually "trained to look at it one specific way." As a result,
they can miss things — whereas freelance researchers and "ethical
hackers" can bring diverse viewpoints, and find vulnerabilities
others might not think to look for.

GM's approach is by no means unique — most major tech companies
operate some kind of vulnerability disclosure program that
welcomes public submissions (so long as they abide by certain
ethical standards). The 108-year-old car company works with
Hacker One, an organization that connects companies to
researchers and provides a platform for disclosing risks.

Some companies even offer "bug bounties" — paying researchers
when they discover vulnerabilities in their platforms — but GM
hasn't gone down this route. "Our public program is coordinated
disclosure, it's the 'welcome mat,' and we provide credit to the
researchers," Massimilla said. The company does plan to offer
private bounties, via Hacker One, to select researchers in the
future.

Since the program's launch a year ago, it has had hundreds of
submissions, the executive said.

When it comes to cars, the stakes are far higher

[Photo caption: If it has to, GM's security team can take the nuclear option and cut the connection to vehicles. Bill Pugliano/Getty Images]

If the security team at a social network misses something, worst
case scenario, a whole lot of user data and financial information
might get stolen. It's damaging — potentially company-ending —
but not the end of the world.

When it comes to protecting connected cars, the stakes are far
higher.

If GM finds a vulnerability in one of its connected vehicles,
what does it do? The response "can be anything from patches to
software, all the way to cutting the connection to vehicles if we
felt we had an imminent danger for our customers."

Vulnerability submissions aren't the only way GM security-tests
its vehicles, of course. Massimilla's team works throughout the
development of a vehicle to try and make sure it is secure, and
it also has a "red team" that fulfills a similar function to
ethical hackers in-house. And the executive is also the
vice-chairman of the
Auto ISAC, an industry body that shares information on
security issues among its members.

Massimilla wouldn't discuss the nature of the vulnerabilities it
has seen, whether submitted by ethical hackers or found in-house.
But he did confirm that GM is looking at the risks of ransomware,
among other threats.

"That is a very logical criminal behavior ... it's absolutely
something that we, along with many other things, [see] as what we
are trying to protect against in the vehicle."

Car hacking is worrying — but the alternative could be worse

The threat posed by car hacking is worrying — but Intel's Raj
Samani argues that there's a more worrying possibility. "The
biggest risk is that we don't have self-driving cars. We need
better tech in cars, because it's going to be safer than that
crazy taxi driver that knocked me down," he said, referring to how
he was hit by a car in Brussels last year.

"But if people lose trust in self-driving cars or connected cars
because there is vulnerability, because there is ransomware,
because they suck up all your privacy and sell it off to
third-parties, then they're not going to go out and buy connected
cars."